Novell eDirectory 8.7.3 SP10b for Solaris, Linux, and AIX
July 01, 2008

1.0 Overview
2.0 Installation
    2.1 Prerequisites
    2.2 Component Versions With this Patch
    2.3 Installing or Upgrading eDirectory
3.0 Known Issues
    3.1 Installation and Configuration Issues
    3.2 iMonitor Issues
    3.3 Executing ndsimonitor on Solaris 9 Generates an Error Message
    3.4 ConsoleOne Issues
    3.5 SNMP Issues
    3.6 Increasing the Size of the eDirectory Log Files
    3.7 Faxparameters Issue with NLDAP
    3.8 Replacing an Attribute With a Zero Length Value Through ICE Deletes the Attribute
    3.9 NetMail Version for Upgrading to eDirectory 8.7.3.x
    3.10 Repair Issues
    3.11 Missing IP Address Entry in the /etc/hosts File on Linux
    3.12 Manpaths
    3.13 Creating LDAP Server and Group Objects in iManager
    3.14 ndsconfig cannot Set IP Address for n4u.server.interfaces
    3.15 Novell Account Management Fails on a Solaris 8 Server Running a Kernel Patch Level of 108528-14 or Higher on Upgrading from eDirectory 8.7 to 8.7.3.x
    3.16 Increasing the Speed of Bulkloads
    3.17 Extended Characters Not Supported by LDAP Tools
    3.18 OpenSLP Does Not Work on 64-bit SLES 9
    3.19 Error While Starting ndsd with Locale Other Than English
    3.20 DirXML Issues
    3.21 Hard Cache Considerations for Solaris
    3.22 ICE Plug-in Won't Authenticate in iManager for Import on Linux
    3.23 Errors When Running edirutil -i on Linux
    3.24 File Descriptor Limitation on Solaris
    3.25 Cannot View Password Plugin in iManager on Logging in to eDirectory 8.7.3 SP10
    3.26 Nds-uninstall Removes Only 8.7.3.10 eDirectory Administration Utilities
4.0 Change Log
    4.1 ds
    4.2 nldap
    4.3 ncpengine
    4.4 install
    4.5 ldap
    4.6 iMonitor
    4.7 dsrepair
    4.8 snmp
    4.9 eMBox
    4.10 httpstk
    4.11 ice
    4.12 jclient
5.0 Documentation Issues
    5.1 eDirectory 8.7.3 Documentation
    5.2 Additional Readme Information
6.0 Legal Notices

1.0 Overview

This patch is an update to the original release of Novell eDirectory 8.7.3. It contains all the fixes and updates since eDirectory 8.7.3 shipped.
This update is for the Solaris, Linux, and AIX platforms only.

2.0 Installation

- 2.1 Prerequisites
- 2.2 Component Versions With this Patch
- 2.3 Installing or Upgrading eDirectory

2.1 Prerequisites

- 2.1.1 Solaris
- 2.1.2 Linux
- 2.1.3 AIX

2.1.1 Solaris

- One of the following:
  - Solaris 8 on Sun SPARC (with patch 108827-20 or later)
  - Solaris 9 on Sun SPARC
- All latest recommended set of patches available on the SunSolve Web page (http://sunsolve.sun.com). If you do not update your system with the latest patch before installing eDirectory, you will get the patchadd error.

2.1.2 Linux

- One of the following:
  - OES Linux SP2 32 bit
  - SUSE Linux Enterprise Server 9 32 and 64-bit SP3 and SP4 (both 32 and 64-bit)
  - SUSE Linux Enterprise Server 10 32 and 64-bit
    To determine the version of SUSE Linux you are running, see the /etc/SuSE-release file.
  - Red Hat Enterprise Linux ES & AS 3.0 32-bit
  - Red Hat Enterprise Linux AS 4.0 32 and 64-bit
- Ensure that gettext is installed. To install gettext, search the rpmfind (http://rpmfind.net) Website for gettext.

2.1.3 AIX

- AIX 5L Version 5.2
- All recommended AIX OS patches, available at the IBM Tech Support (https://techsupport.services.ibm.com/server/fixes) Website

2.2 Component Versions With this Patch

- 2.2.1 Linux
- 2.2.2 Solaris
- 2.2.3 AIX

2.2.1 Linux

    ice           10552.76
    ndsd          10554.34
    nldap         10555.98
    ndssnmp       10552.40
    ndstrace      10554.34
    ndsconfig     10553.71
    ndsimonitor   20212.63
    ndsrepair     10551.81

2.2.2 Solaris

    ice           10552.76
    ndsd          10554.34
    nldap         10555.98
    ndssnmp       10552.40
    ndstrace      10554.34
    ndsconfig     10553.71
    ndsimonitor   20212.63
    ndsrepair     10551.81

2.2.3 AIX

    ice           10552.76
    ndsd          10554.34
    nldap         10555.98
    ndssnmp       10552.40
    ndstrace      10554.34
    ndsconfig     10553.71
    ndsimonitor   20212.63
    ndsrepair     10551.81

2.3 Installing or Upgrading eDirectory

- 2.3.1 Pre-Installation Notes
- 2.3.2 Installing eDirectory
- 2.3.3 More Information

2.3.1 Pre-Installation Notes

- Install this on a full installation of eDirectory 8.7.3.x.
- Don't install on DS 8.x.x or eDirectory 8.5.x, 8.6.x, 8.7.0. or 8.7.1.
- This patch has only been tested using the latest support packs and on eDirectory 8.7.3.x supported platforms. This patch is also supported on RedHat Advanced Server 3.0 (RHAS3.0) and SUSE Linux Enterprise Server 9 and 10 (SLES9 & 10).
- From eDirectory 8.7.3 SP8 onwards, the security updates are no longer included with the eDirectory patch. You need to download the security updates separately from http://download.novell.com. We highly recommend that you use SSP205 in combination with eDirectory 8.7.3 SP10.
- Minimum patch requirements for Solaris 9: On Solaris 9, a set of patches from Sun must be installed before applying this patch. These patches are required to support Sun's 'libumem' memory allocator, which improves performance on Solaris 9.
    112874-13 (or newer)   libc patch
    114370-01 (or newer)   libumem.so.1
    114371-01 (or newer)   libumem; mdb components patch
    114373-01 (or newer)   abi_libumem.so.1 patch
    112233-11 (or newer)   SunOS 5.9: Kernel patch
- Extracting the patch on Solaris may fail with checksum errors. This occurs when using a version of the Solaris 'tar' that has not been updated. Using the GNU 'tar' will work. Sun has also fixed this issue in the following patches:
    SPARC Solaris 8: 110951
    SPARC Solaris 9: 115336
- Single user mode (runlevel 1) on Red Hat Linux: To run successfully in single user mode on Linux (i.e., init 1), you must remove the symbolic link /etc/rc.d/rc1.d/S54ndsd. You only need to do this one time. If you do not do this, eDirectory will try to start during the initialization of the runlevel.
- Installing this patch on Solaris without first configuring a tree may generate errors during installation. To install on Solaris in this situation, follow this order:
  1. Install eDirectory 8.7.3
  2. Install NICI as required by the security patches contained in this release
  3. Install NMAS server and security updates contained in this release
  4. Install this eDirectory patch
  5. Configure a tree as per normal using ndsconfig

2.3.2 Installing eDirectory

This patch release is only for a server currently running eDirectory 8.7.3.x. It requires that eDirectory 8.7.3.x already be installed on the server. If the server is running an earlier version of eDirectory, you must upgrade that server's version of eDirectory to 8.7.3.x before applying this patch. The full 8.7.3.x product can be found at http://download.novell.com. This patch can then be applied.

For more information on installing eDirectory 8.7.3.x, refer to the "Novell eDirectory 8.7.3 Installation Guide" (http://www.novell.com/documentation/lg/edir873/index.html).

Complete the following procedure to install eDirectory:

1. Download the tarred compressed file to your UNIX system.

2. Extract the file using the following command:

    gzip -dc edir87310.tgz | tar xvf -

3. Change to the ./edir87310 directory.

4. Ensure eDirectory has been completely stopped first by using the following command, depending on the platform:

    Linux:    /etc/init.d/ndsd stop
    Solaris:  /etc/init.d/ndsd stop
    AIX:      /etc/ndsd stop

5. Type ./install.sh as the root user to proceed with the installation. If you wish to execute the eDirectory update directly, type ./install.sh [options] as the root user.

    -f   --force          Force the installation of the patch at all costs (continues on failure).
    -s   --showall        Display the package versions that are installed for Novell products.
    -i   --showinstalled  Display the installed package versions for the packages that are included in this patch.
    -n   --noansi         Disable the use of ANSI colours. If the terminal type is 'xterm' then colours will be disabled by default.
    -y   --yesansi        Enable the use of ANSI colours.
    -ne  --noerrors       Disable the display of expanded error messages that are shown when an error is generated.
    -u   --unattended     Allows the patch to be installed in unattended mode. Will stop if an error is encountered unless the --force switch is also used.
    -a   --autostart      Attempt to start the product after the installation process.
    -h   --help           Displays this command line help.

6. If you have Novell iManager installed, then after the installation you will need to restart the Tomcat and Apache2 daemons. Use the following commands to do this:

    Linux:
    - Tomcat: /etc/init.d/novell-tomcat4 start
    - Apache: /etc/init.d/novell-httpd start

    Solaris:
    - Tomcat: /var/opt/novell/tomcat4/bin/startup.sh
    - Apache: /var/opt/novell/httpd/bin/apachectl startssl

7. From eDirectory 8.7.3 SP8 onwards, the Security updates (NMAS, PKI, NTLS, and NICI) are not included in the eDirectory patch. To get the latest Security Patches, visit http://download.novell.com. Select Security Services | Search from the Product or Technology drop down menu. Download and install the platform specific patch and NMAS methods. Novell recommends that you use the SSP 205 security patch in combination with eDirectory 8.7.3 SP10.

2.3.3 More Information

For additional information regarding this patch, refer to the following Technical Information Documents on the Novell Support Knowledgebase at http://support.novell.com/search/kb_index.jsp:

- TID 10094651: The Linux NDS SNMP Subagent "ndssnmpsa" will not start
- TID 10096146: Connection lost to eDirectory 8.7.3, on Red Hat AS 3.0 Server, while bulk loading objects
- TID 10096145: eDirectory 8.7.3 runs out of memory, on Red Hat AS 3.0 Server, while running repeated LDAP operations
- TID 10097153: NDSD will not start after installing Solaris 9 patches
- TID 10097186: nds-uninstall fails to remove the NDSserv package on RedHat
- TID 10097155: Can't run repair and rename tree operations, via embox, on RedHat
- TID 10097143: How to enable the FLAIM memory pre-allocation feature
- TID 10098714: How to configure dsbk for Linux and Unix

3.0 Known Issues

3.1 Installation and Configuration Issues

- 3.1.1 X.509 and CertMutual Login Methods
- 3.1.2 Installing and Configuring eDirectory on SUSE Linux Fails When DHCP is Configured
- 3.1.3 Interoperability of eDirectory with SLP Shipped on Solaris 8.0 (Native SLP, slpd)
- 3.1.4 Upgrading from eDirectory 8.6.2, 8.7, or 8.7.1 to eDirectory 8.7.3.x
- 3.1.5 ndsconfig Creates the nds.conf File and the DIB Directory Even When Configuration Fails
- 3.1.6 Unable to Configure the LDAP Server with Default SSL CertificateDNS Certificate.
- 3.1.7 Specifying eDirectory Information During the Configuration
- 3.1.8 Core DS Component Installation
- 3.1.9 Installing eDirectory 8.7.3 SP10 on a SLES 9 Server
- 3.1.10 SLP Issues on OES Linux
- 3.1.11 NICI Issue in RedHat Linux
- 3.1.12 Error Might Prompt while Installing eDirectory 8.7.3 SP10 on AIX
- 3.1.13 Upgrading from eDirectory 8.7.3.7 to eDirectory 8.7.3.10a
- 3.1.14 Dsbk Utility Fails in eDirectory 8.7.3 SP10a on Solaris 9.0

3.1.1 X.509 and CertMutual Login Methods

The X.509 and CertMutual login methods that shipped with eDirectory 8.6.x are not compatible with eDirectory 8.7.3.x. When you upgrade from 8.6.x to 8.7.3.x, you must upgrade the X.509 and CertMutual login methods as well. The Certificate-based NMAS methods in NMAS EE 2.0 are also incompatible with eDirectory 8.7.3.x.

3.1.2 Installing and Configuring eDirectory on SUSE Linux Fails When DHCP is Configured

On SUSE Linux, when DHCP is configured, installing and/or configuring eDirectory fails with the following error:

    "Can't contact LDAP server. Error (-1): Installation aborting."

To resolve this error, make sure that the following entry is present in /etc/hosts before configuring eDirectory:

    127.0.0.1 localhost.localdomain localhost

If the entry 127.0.0.2 <>.localdomain <> is present in the file, add 127.0.0.1 <>.localdomain <> before the entry to look similar to the following:

    127.0.0.1 <>.localdomain <>
    127.0.0.2 <>.localdomain <>

This change might affect other network applications. You might want to revert this change once the eDirectory configuration is completed. Reverting will not impact the eDirectory services.

3.1.3 Interoperability of eDirectory with SLP Shipped on Solaris 8.0 (Native SLP, slpd)

If Native SLP is already present and configured, the eDirectory installation on Solaris 8.0 detects the presence of the Native SLP package and does not install the NovellSLP package. You should make sure that the slpd daemon is running before configuring a new eDirectory server, as eDirectory requires SLP in order to query for duplicate tree names, advertising, etc.

To start the slpd daemon on Solaris 8.0:

1. Create the slp configuration file, either by copying /etc/inet/slp.conf.example to /etc/inet/slp.conf or by any alternative method.

2. Start the slpd daemon with the following command:

    /etc/init.d/slpd start

The slpd daemon will not start if the /etc/inet/slp.conf file does not exist. The network administrator can change the slp configuration by editing the /etc/inet/slp.conf file and restarting the slpd daemon.

You can use NovellSLP by installing the NovellSLP package, configuring the /etc/slpuasa.conf file as per the network requirements, and starting the slpuasa daemon.
Make sure that the /etc/inet/slp.conf file does not exist (either by removing or making a backup of this file) and stop the /etc/init.d/slpd daemon before using the NovellSLP package.

3.1.4 Upgrading from eDirectory 8.6.2, 8.7, or 8.7.1 to eDirectory 8.7.3.x

Upgrading from eDirectory 8.6.2, 8.7, or 8.7.1 to eDirectory 8.7.3 or eDirectory 8.7.3.x rebuilds the LDAP Mapping table and re-adds the inetOrgPerson --> User mapping, causing any new objects created via LDAP to be of the User base class instead of the inetOrgPerson base class.

This will only be an issue if you deleted the mapping for inetOrgPerson --> User and defined a real inetOrgPerson class in your previous version of eDirectory. The workaround for this problem is to use ConsoleOne to remove the mapping from the Class Mappings page of the LDAP Group Object.

3.1.5 ndsconfig Creates the nds.conf File and the DIB Directory Even When Configuration Fails

If configuration fails, ndsconfig creates the /etc/nds.conf file and the /var/nds/dib directory. You might have to delete these files manually.

3.1.6 Unable to Configure the LDAP Server with Default SSL CertificateDNS Certificate.

When configuring eDirectory on Linux or Solaris servers into a replica with many objects or with synchronization problems, you might experience an "Unable to configure LDAP server with default SSL CertificateDNS certificate. Use ConsoleOne/iManager to associate SSL CertificateDNS certificate with LDAP server." error at the end of the ndsconfig process.

If the ndsd service is stopped at this point, you can restart it manually by entering the following at the console prompt:

    /etc/init.d/ndsd start

At this point, you might also need to verify that the LDAP Server object for that server was configured with an SSL Certificate. In ConsoleOne/iManager, open the properties pages of the LDAP Server object for this server, select the SSL/TLS Configuration tab, then look at the Server Certificate field on that tab.
If it has been populated with the name of an SSL Certificate (for example, "SSL CertificateDNS"), click Close to exit the properties pages. If this field is blank, click the browse button for that field and select a certificate from the list. The default is "SSL CertificateDNS." Then click Apply and Close.

Finally, verify that the /var/novell/nici/0 directory (if user 'root' ran the install) contains a 'nicisdi.key' file. If it doesn't, restart the server to synchronize the key file.

3.1.7 Specifying eDirectory Information During the Configuration

When specifying the eDirectory information during the configuration, if an invalid Server object container type is specified, the configuration will not detect the error until later, and the eDirectory configuration will fail with a -611 or -634 error, which implies an incorrect base class.

The valid Server object container types are:

- Organization (O)
- Organizational Unit (OU)
- Domain (DC)

3.1.8 Core DS Component Installation

On rare occasions, the eDirectory installation will fail during its core DS component installation. If so, an error message like the following will be displayed:

    "The DS component of eDirectory failed to install correctly. The error received was: ''. Please view ndsd.log for more detailed information. The eDirectory installation will now be terminated."

If you receive this error, you should try to reinstall the product, or remove it and then reinstall it. If the reinstallation fails because of a partial installation already being on your system, or for any other reason, please visit the Novell Support (http://support.novell.com) Web site for possible solutions.

3.1.9 Installing eDirectory 8.7.3 SP10 on a SLES 9 Server

Installing a Non-replica Server into an Existing Tree

When installing a non-replica server into an existing tree (after the third server), you might get install failures. This is due to the fact that SLES 9 ships with a developer/unsupported version of OpenSLP (OpenSLP 1.1.5).
To fix this problem, install the supported version of OpenSLP (OpenSLP 1.0.11, available from www.openslp.org) on your SLES 9 system before installing eDirectory 8.7.3 SP10.

NOVLembox RPM Fails if X Isn't Installed

NOVLembox RPM fails if X isn't installed, due to the fact that the JRE libraries have a requirement on the X libraries. In the \embox\build\linux\pkg_embox_lin file, move the following lines from the %install section to the %post section so that there is no dependency checking on these files:

    cd \$RPM_BUILD_ROOT/$emb_path
    gunzip -c jre141-Linux.tar.gz | tar xf -
    rm -f jre141-Linux.tar.gz

You should also delete RPM_BUILD_ROOT and recursively delete the JRE directory in the %preun section to clean up the files.

There is also a dependency on libstdc++libc6.1-1.so.2. Install the compat package set in order to get this component. Additionally, if you install just the XFree86-libs package, you will get what you need to install NOVLembox.

3.1.10 SLP Issues on OES Linux

OpenSLP implements SLPv2 while Novell SLP implements SLPv1. SLPv1 UAs will not receive replies from SLPv2 SAs and SLPv2 UAs will not receive replies from SLPv1 SAs. That is, the clients with OpenSLP will not be able to see trees with Novell SLP. Similarly, the clients with Novell SLP will not be able to see trees with OpenSLP.

If both OpenSLP and Novell SLP are running in the network, then one of the OpenSLP (on OES Linux) should be configured as DA.

3.1.11 NICI Issue in RedHat Linux

Some RedHat Linux systems, especially the RedHat Advanced Servers, ship a prelink rpm to help applications load faster. However, prelink modifies the image of binaries to achieve faster loading. Once prelink modifies the NICI libraries, the integrity check fails and makes the NICI binaries unusable.
To prevent this, explicitly exclude the NICI binaries from prelink processing by adding the following to the /etc/prelink.conf file:

    -b /usr/lib/libccs2.so.2.6.4

3.1.12 Error Might Prompt while Installing eDirectory 8.7.3 SP10 on AIX

You might encounter the following error while installing eDirectory 8.7.3 SP10 on AIX:

    The "./AIX/NDS.NDSbase.fileset" package included in this patch has a version of "." when it is expected to be "8.7.3.10". To continue the installation past any errors use the --force switch.

To continue the installation, check for sufficient space in the /tmp directory.

3.1.13 Upgrading from eDirectory 8.7.3.7 to eDirectory 8.7.3.10a

The eDirectory upgrade fails because the ConsoleOne install script forces the following rpms to install:

- NDSbase-8.7.3.7-38
- NLDAPbase-8.7.3-34
- NLDAPsdk-8.7.3-34

Workaround: Before attempting the eDirectory upgrade again, remove these packages manually through the following steps:

1. Stop eDirectory.

    /etc/init.d/ndsd stop

2. Uninstall these rpms:

    rpm -e NDSbase-8.7.3.7-38
    rpm -e NLDAPbase-8.7.3-34
    rpm -e NLDAPsdk-8.7.3-34

3. Run the eDirectory 8.7.3.10a installer.

    ./install.sh

4. Start eDirectory.

    /etc/init.d/ndsd start

3.1.14 Dsbk Utility Fails in eDirectory 8.7.3 SP10a on Solaris 9.0

Dsbk utility fails with an error.

3.2 iMonitor Issues

- 3.2.1 Browser Compatibility
- 3.2.2 Browsing for Objects in iMonitor Containing Double-byte Characters
- 3.2.3 Agent Health Check on a Single Server Tree
- 3.2.4 iMonitor Report Does Not Save the Records of Each Hour
- 3.2.5 Logging In to iMonitor
- 3.2.6 Creation and Modification Timestamps

3.2.1 Browser Compatibility

The iMonitor included with this release of eDirectory requires Internet Explorer 5.5 or later or Netscape 7.02 or later or Firefox 2.x or later.

3.2.2 Browsing for Objects in iMonitor Containing Double-byte Characters

When using iMonitor to browse an eDirectory tree for objects, an object with double-byte characters in the name might not hyperlink to the object properties correctly. This issue will be resolved in a future release of iMonitor.

3.2.3 Agent Health Check on a Single Server Tree

The Agent Health check feature in iMonitor shows a Warning icon in the Results column when run on a single server tree because of the Perishable Data status. This does not mean that the tree is not healthy or that the Agent Health check is not working as designed. Perishable Data indicates the amount of data that has not yet been synchronized to at least one replica. A single server tree, by its nature, means that the data is always at risk for catastrophic failure because there is no other place that the data is replicated. If you lose the hard disk, you lose the data.

If you don't want to view health check warnings about Perishable Data or Readable Replica Counts on your single server tree, you can turn off these health checks by editing the /etc/ndsimonhealth.conf file to change the following entries:

    perishable_data-active: OFF

and

    ring_readable-Min_Marginal: 1

or

    ring_readable-active: OFF

This will turn off the warnings for Readable Replica Count and Perishable Data.

3.2.4 iMonitor Report Does Not Save the Records of Each Hour

The custom reports feature in iMonitor is designed to place the URL specified by the user into the saved report (the saved HTML file) when the custom report is created. That means that when you open a saved custom report that has been run, you will see the live (current) data instead of the data captured by the URL at the time the custom report was run. This issue will be resolved in a future release of iMonitor.

3.2.5 Logging In to iMonitor

The username in the iMonitor login page should be a dotted and non-typed DN. For example, admin.novell.
Other formats (such as dotted and typed, for example, cn=admin.o=novell; or LDAP format, for example, cn=admin,o=novell) are not accepted. An unsuccessful login in iMonitor returns to the login page without displaying any errors.

3.2.6 Creation and Modification Timestamps

As UNIX platforms do not maintain the creation time of a file, iMonitor shows both the creation and modification times to be the same.

3.3 Executing ndsimonitor on Solaris 9 Generates an Error Message

When you execute ndsimonitor on the command line, it fails with the following error:

    ld.so.1: ndsimonitor: fatal: libiconv.so.2: open failed: No such file or directory

To work around this issue, use ndstrace to unload and then load the iMonitor library.

- To Unload: ndstrace -c unload imon
- To Load: ndstrace -c load imon

You can use ndsimonitor from 8.7.3.9, if required.

3.4 ConsoleOne Issues

- 3.4.1 ConsoleOne and Open SLP
- 3.4.2 Using ConsoleOne to Manage NetWare 4.x Servers
- 3.4.3 Creating Server Certificate Objects
- 3.4.4 "Operation Failed" Error
- 3.4.5 Using the Alt Key to Enter International Characters
- 3.4.6 Novell Client Versions Required for ConsoleOne 1.3.6
- 3.4.7 Installing ConsoleOne on UNIX With All Languages Selected
- 3.4.8 Adding an LDAP Server or LDAP Group Object Fails Due to Version Incompatibility

3.4.1 ConsoleOne and Open SLP

The NOVLc1 package does not get installed during the installation of ConsoleOne on a Linux machine with an Open SLP package. If an Open SLP package is detected on a Linux machine and you want to install ConsoleOne on that Linux machine, install the Novell SLP package first, then run the ConsoleOne install script.

3.4.2 Using ConsoleOne to Manage NetWare 4.x Servers

In order to use ConsoleOne to manage a tree containing NetWare 4.x servers (DS v 6.17), IPX must be installed on the management client.
Even if ConsoleOne is run from a NetWare box via a mapped drive on the client, the client machine on which ConsoleOne is running must be able to connect natively via IPX.

3.4.3 Creating Server Certificate Objects

Creating Server Certificate objects (also known as Key Material objects) is not supported in ConsoleOne on the UNIX platforms. This function is supported through iManager or from ConsoleOne on the Windows platform.

3.4.4 "Operation Failed" Error

The error "Operation Failed. The required dependencies were not found. Please refer to Novell documentation for the required prerequisites." indicates that a required SPM client library from the Universal Password feature in NMAS has not been installed or is not available, or that the server or workstation has incomplete or old versions of required eDirectory libraries.

To get the most recent libraries, reinstall the Novell Client (Novell Client for Windows NT/2000/XP version 4.9 or later or Novell Client for Windows 95/98 version 3.4 or later on a Windows workstation) or reinstall the latest eDirectory libraries, available on the eDirectory 8.7.3 CD.

3.4.5 Using the Alt Key to Enter International Characters

Using the Alt+number keys to enter international characters when naming objects in ConsoleOne causes the characters to display incorrectly. The workaround for this is to use an international keyboard or to copy the extended characters from Notepad or another Windows application into the ConsoleOne text field. Manually upgrading your JRE to version 1.4.1_02 will also fix this problem.

3.4.6 Novell Client Versions Required for ConsoleOne 1.3.6

ConsoleOne errors might be encountered during authentication and password modification operations when running on a Windows workstation with an older version of the Novell Client.
ConsoleOne 1.3.6 on Windows requires one of the following:

- Novell Client for Windows 95/98 version 3.4 or later
- Novell Client for Windows NT/2000/XP version 4.9 or later

3.4.7 Installing ConsoleOne on UNIX With All Languages Selected

When installing ConsoleOne on UNIX with all non-English languages selected, you will receive the following message:

    "One or more of the languages for the specified snap-ins are not available to install or have not been translated for installation. ConsoleOne will continue to install. However, when executing ConsoleOne, some of the snap-ins will display English where the specific language was not available."

This issue will be resolved in a future release of eDirectory.

3.4.8 Adding an LDAP Server or LDAP Group Object Fails Due to Version Incompatibility

The LDAP ConsoleOne snap-in gives an obsolete version error. To resolve this, do the following:

1. Create the LDAP Server object.
2. Create the LDAP Group object.
3. Add the LDAP Server to the LDAP Group object's Server List.
4. Set the NCP Server to the LDAP Server object's Host Server field.
5. Set SSL CertificateDNS to the LDAP Server object's Server Certificate field in the SSL/TLS Configuration tab.
6. Wait for 10 seconds.

3.5 SNMP Issues

- 3.5.1 SNMP on Linux
- 3.5.2 Errors While Starting the NDS Subagent
- 3.5.3 Restarting ndssnmpsa
- 3.5.4 Error While Starting ndssnmpsa
- 3.5.5 Issue with 64 Bit Version of Net-Snmp

3.5.1 SNMP on Linux

On SLES9, the net-snmp 5.1 master agent has a known issue. It prints the message "snmpd: send_trap: Unknown PDU type" and does not send the traps. To avoid this error, you need to upgrade net-snmp to 5.1.2 or a later version.

On SLES 10, before starting the subagent, export the variable SNMP_MAJOR_VERSION using the following command:

    export SNMP_MAJOR_VERSION=10

3.5.2 Errors While Starting the NDS Subagent

On RedHat Advanced Server 3.0 32 bit, the subagent might fail with the following message:

    Unable to load library: libnetsnmp.so

To resolve this, enter the following before starting the NDS subagent:

    export LD_PRELOAD=/usr/lib/libnetsnmp.so.5:/usr/lib/libnetsnmphelpers.so.5:/usr/lib/libnetsnmpmibs.so.5

Even after the above mentioned workarounds, you may continue to get the following error while browsing the NDS MIB through the MIB browser:

    Connection from callback: 1 on fd 4

You will still get the statistics, and you can ignore the above error messages.

3.5.3 Restarting ndssnmpsa

When the master agent is restarted on Solaris and Linux, ndssnmpsa needs to be restarted. To restart ndssnmpsa, stop ndssnmpsa and then start it again.

To stop ndssnmpsa, enter the following:

- Solaris: /etc/init.d/ndssnmpsa stop
- Linux: /etc/init.d/ndssnmpsa stop
- AIX: /etc/ndssnmpsa stop

To start ndssnmpsa, enter the following:

- Solaris: /etc/init.d/ndssnmpsa start
- Linux: /etc/init.d/ndssnmpsa start
- AIX: /etc/ndssnmpsa start

3.5.4 Error While Starting ndssnmpsa

When you start ndssnmpsa on UNIX, you might get the following errors:

    Error: eDirectory SNMP Initialization component. Error code: -168
    Error: eDirectory SNMP Initialization component. Error code: 9

To resolve this, do the following:

1. Stop the SNMP subagent if it is running.

2. Unload and load ndssnmp as follows:

    /usr/bin/ndssnmp -u
    /usr/bin/ndssnmp -l

3. Start the SNMP subagent.

3.5.5 Issue with 64 Bit Version of Net-Snmp

To resolve this, you should install the net-snmp-32bit rpm on the SLES 9 and 10 64 bit platform. This rpm is available on SLES install CDs. ndssnmpsa requires 32-bit netsnmp libraries on 64-bit Linux.

3.6 Increasing the Size of the eDirectory Log Files

You can use Novell iManager to increase the maximum size of the eDirectory log files (in iManager, click eDirectory Maintenance Utilities > Log File > specify which server will perform the log file operation > authenticate to the server > Log File Options > enter a new maximum file size) to a large value (such as several MBs). However, the size of the log files can become a problem and might cause eDirectory to stop responding.

To solve this problem, increase the heap size allocated to the JVM for iManager by using an environment variable of the following form:

    TOMCAT_OPTS=-Xmx512m

This increases the JVM heap size from the default of 64MB to 512MB.

3.7 Faxparameters Issue with NLDAP

NLDAP ignores the faxparameters part of the facsimile telephone number syntax and only allows the printable ASCII string, which is the telephone number. Refer to RFC 2252 for details of the facsimile telephone number syntax. The faxparameters correspond to the bit string component of the NDAP syntax - SYN FAX NUMBER.

3.8 Replacing an Attribute With a Zero Length Value Through ICE Deletes the Attribute

Consider the following entry specified in an LDIF file:

    # Modify an entry: replace the fullName attribute with an empty value
    dn: cn=user,o=org
    changetype: modify
    replace: fullName
    fullName:

Providing this LDIF entry to ICE will delete the fullName attribute. Use the ldapmodify tool to modify such LDIF entries.

3.9 NetMail Version for Upgrading to eDirectory 8.7.3.x

Existing Novell NetMail 3.1 users running eDirectory 8.6.x on UNIX platforms and upgrading to eDirectory 8.7.3.x should apply the NetMail 3.10e patch to maintain compatibility with eDirectory.
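
The following check is an added example, not part of the original readme or of Novell's tooling: a shell function that scans an LDIF file for the case described in section 3.8, a modify record that replaces an attribute with a zero-length value, so that such records can be handed to ldapmodify instead of ICE. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: find LDIF modify records that ICE would turn into a delete
# (section 3.8). Function names and sample data are constructed, not Novell's.

# Print "DN<TAB>attribute" for every "replace:" operation whose value is empty.
find_empty_replace() {
    awk '
    # Handle one logical LDIF line (continuation lines already joined).
    function handle(line,    p, name, val) {
        if (line ~ /^#/) return                      # comment
        if (line == "") {                            # blank line ends a record
            dn = ""; is_modify = 0; expect_op = 0; op = ""; target = ""
            return
        }
        if (line == "-") { expect_op = 1; return }   # end of one modification
        p = index(line, ":")
        if (p == 0) return
        name = substr(line, 1, p - 1)
        sub(/[ \t]+$/, "", name)                     # tolerate "dn : value"
        val = substr(line, p + 1)
        sub(/^[:<]?[ \t]*/, "", val)                 # drop "::" or ":<" marker
        sub(/[ \t]+$/, "", val)
        if (tolower(name) == "dn") {
            dn = val
        } else if (tolower(name) == "changetype") {
            is_modify = (tolower(val) == "modify"); expect_op = is_modify
        } else if (!is_modify) {
            return
        } else if (expect_op) {                      # "replace: fullName" etc.
            op = tolower(name); target = tolower(val); expect_op = 0
        } else if (op == "replace" && tolower(name) == target && val == "") {
            printf "%s\t%s\n", dn, name
        }
    }
    {
        sub(/\r$/, "")                               # accept CRLF files
        if (have && substr($0, 1, 1) == " ") {       # folded line: join it
            buf = buf substr($0, 2)
            next
        }
        if (have) handle(buf)
        buf = $0; have = 1
    }
    END { if (have) handle(buf) }
    ' "$1"
}

# Exit status 0 when the file has no such operation and can go to ICE as-is.
ldif_safe_for_ice() {
    [ -z "$(find_empty_replace "$1")" ]
}

# Constructed sample input (not from the original page).
sample_ldif() {
    cat <<'EOF'
# Modify an entry: replace the fullName attribute with an empty value
dn: cn=user,o=org
changetype: modify
replace: fullName
fullName:
-
replace: title
title: Engineer

dn: cn=other,o=org
changetype: modify
replace: description
description: a value folded
 across two lines

dn: cn=third,ou=people,
 o=org
changetype: modify
replace: mail
mail:
EOF
}

# Demo run on the constructed sample.
demo=$(mktemp)
sample_ldif > "$demo"
find_empty_replace "$demo"
rm -f "$demo"
```

Each output line names the entry and the attribute that ICE would delete; `ldif_safe_for_ice` gives the same answer as an exit status for use in an import wrapper.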

3.10 Repair Issues

- 3.10.1 Running ndsrepair on An NFS Mounted DIB on Linux
- 3.10.2 ndsrepair Fails When the dib Directory has a Large Number of Stream File Attributes
- 3.10.3 Basic Repair Task in iManager

3.10.1 Running ndsrepair on An NFS Mounted DIB on Linux

You might get -732 or -6009 errors while trying to run ndsrepair on an NFS-mounted DIB on Linux systems.

3.10.2 ndsrepair Fails When the dib Directory has a Large Number of Stream File Attributes

On SLES 9, if the dib contains more than 1,00,000 stream files, ndsrepair -R fails. To work around this issue, run ndsrepair as follows:

    ndsrepair -R -v no -Ad -av

3.10.3 Basic Repair Task in iManager

In iManager 2.5, the eDirectory Maintenance > Basic Repair task has been renamed to eDirectory Maintenance > Repair eDirectory. The functionality remains the same, however.

3.11 Missing IP Address Entry in the /etc/hosts File on Linux

On Linux, if the /etc/hosts file contains only the local host entry, the IP address entry should be added. In the /etc/hosts file, the local host entry would be displayed as follows:

    127.0.0.1 localhost.localdomain localhost

Add the IP address entry to the /etc/hosts file as follows:

3.12 Manpaths

- 3.12.1 Updating Manpath for SUSE
- 3.12.2 Updating Manpath UnitedLinux

3.12.1 Updating Manpath for SUSE

On SUSE, the manpath /usr/man is not included in the list of paths specified in the /etc/manpath.config file. To read eDirectory man pages, add /etc/manpath to the list. Update the MANPATH variable by entering:

    export MANPATH=/usr/ldaptools/man:/usr/man:$MANPATH

3.12.2 Updating Manpath UnitedLinux

On UnitedLinux, the manpath /usr/man is not included in the list of paths specified in the /etc/manpath.config file. To read eDirectory man pages, add this path to the list. To update the MANPATH variable, type "export MANPATH=$MANPATH:/usr/man" and press Enter.
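
The following pre-configuration check is an added example, not part of the original readme or of the eDirectory installer: it tests a hosts file for the conditions described in sections 3.1.2 and 3.11 (the loopback entry is present, any 127.0.0.2 entry has a 127.0.0.1 entry for the same name before it, and a non-loopback IP address entry exists). The function names, the finding labels, the hostname edir1 and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: check /etc/hosts before running ndsconfig (sections 3.1.2
# and 3.11). Names, labels and sample data are constructed, not Novell's.

# Print one finding per line; print nothing when the file passes all checks.
#   order:NAME        a 127.0.0.2 line names NAME with no earlier 127.0.0.1 line
#   missing-loopback  no "127.0.0.1 localhost.localdomain localhost" entry
#   no-ip-entry       only loopback entries, no real IPv4 address entry
check_hosts() {
    awk '
    {
        sub(/#.*/, "")                       # strip comments
        if (NF < 2) next                     # blank or malformed line
        if ($1 == "127.0.0.1") {
            ld = 0; lo = 0
            for (i = 2; i <= NF; i++) {
                seen[$i] = 1                 # name now has a 127.0.0.1 entry
                if ($i == "localhost.localdomain") ld = 1
                if ($i == "localhost") lo = 1
            }
            if (ld && lo) loopback = 1
        } else if ($1 == "127.0.0.2") {
            for (i = 2; i <= NF; i++)
                if (!($i in seen)) { print "order:" $i; break }
        } else if ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 !~ /^127\./) {
            real = 1                         # a non-loopback IPv4 entry exists
        }
    }
    END {
        if (!loopback) print "missing-loopback"
        if (!real) print "no-ip-entry"
    }
    ' "$1"
}

# Constructed sample: a hosts file that fails all three checks.
sample_hosts_dhcp() {
    cat <<'EOF'
# constructed sample, hostname edir1 is hypothetical
127.0.0.2 edir1.localdomain edir1
::1 localhost ipv6-localhost ipv6-loopback
EOF
}

# Constructed sample: the same host after applying the readme's changes.
sample_hosts_fixed() {
    cat <<'EOF'
127.0.0.1 localhost.localdomain localhost
127.0.0.1 edir1.localdomain edir1
127.0.0.2 edir1.localdomain edir1
192.0.2.10 edir1.example.com edir1   # documentation-range address
EOF
}

# Demo run on both constructed samples.
tmp=$(mktemp)
sample_hosts_dhcp > "$tmp"
echo "before:"; check_hosts "$tmp"
sample_hosts_fixed > "$tmp"
echo "after:"; check_hosts "$tmp"
rm -f "$tmp"
```

Run `check_hosts /etc/hosts` on the target server before ndsconfig; empty output means none of the three conditions was found.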

3.13 Creating LDAP Server and Group Objects in iManager

If you use Novell iManager to create LDAP Server and Group objects, click LDAP > LDAP Overview, select the new LDAP Server object, and then click General > Information > Refresh after the LDAP objects have been created.

3.14 ndsconfig cannot Set IP Address for n4u.server.interfaces

You can set the IP address to n4u.server.interfaces by editing the nds.conf file.

3.15 Novell Account Management Fails on a Solaris 8 Server Running a Kernel Patch Level of 108528-14 or Higher on Upgrading from eDirectory 8.7 to 8.7.3.x

After an eDirectory 8.7 server on Solaris 8 running Novell Account Management is upgraded to eDirectory 8.7.3.x, the Novell Account Management authentication will fail. This will happen only when the Solaris 8 server is running a kernel patch level of 108528-14 or higher. This issue will be fixed in a future release of eDirectory.

3.16 Increasing the Speed of Bulkloads

To increase the speed of bulkloads when creating new eDirectory trees, disable Universal Password until the load is complete. For more information, see the Universal Password Deployment Guide (http://www.novell.com/documentation/lg/nw65/universal_password/data/front.html).

3.17 Extended Characters Not Supported by LDAP Tools

Extended characters are currently not supported by LDAP tools. You can use ICE to perform operations like add, modify, and delete using appropriate LDIF files.

3.18 OpenSLP Does Not Work on 64-bit SLES 9

OpenSLP does not work on 64-bit SLES 9 as 64-bit SLES 9 ships the 64-bit version of SLP. However, eDirectory supports the 32-bit version of SLP. For eDirectory on SLES to work on OpenSLP, use the 32-bit versions of /usr/lib/libslp.so.1.0.0 and /usr/bin/slpd.

3.19 Error While Starting ndsd with Locale Other Than English

Starting the ndsd service with a locale other than English displays the error "Could not load Unicode tables."
To bring up an eDirectory server in non-English locales, export /usr/local/lib as follows:

    export SHLIB_PATH=/usr/local/lib:$SHLIB_PATH

3.20 DirXML Issues

- 3.20.1 DirXML Fails to Start After Upgrading to eDirectory 8.7.3.x
- 3.20.2 Unable to Start ndsd After Installing DirXML 2.0 on Solaris

3.20.1 DirXML Fails to Start After Upgrading to eDirectory 8.7.3.x

Upgrading to eDirectory 8.7.3.x with an existing DirXML installation will cause DirXML to fail on Solaris and Linux. To fix this problem, install the NDSdxevnt library on Solaris or the NDSdxevnt-1.1.1-1.i386.rpm package on Linux. These files can be found in the ./setup directory on the DirXML 1.1a installation CD. For more information, see Solution 10091030 (http://support.novell.com/cgi-bin/search/searchtid.cgi?/10091030.htm), "DirXML 1.1a Fails to Start After Upgrade to eDirectory 8.7.3," in the Novell Knowledgebase.

3.20.2 Unable to Start ndsd After Installing DirXML 2.0 on Solaris

When you create a DirXML driver set, or shortly after DirXML loads, the ndsd process shuts down unexpectedly without a core dump. The /var/nds/ndsd.log file will contain the following message:

    "Exception java.lang.OutOfMemoryError: requested -569704448 bytes for char in /export1/jdk/jdk1.4.2/hotspot/src/os/solaris/vm/os_solaris.cpp. Out of swap space?"

(The exact number might vary.) To fix this problem, complete the following steps:

1. Open /etc/init.d/ndsd.
2. Set GS_FAST_MODE to 0 instead of 1.

This issue has been fixed with eDirectory 8.7.3 IR3.

3.21 Hard Cache Considerations for Solaris

On Solaris systems with more than 2 GB RAM, setting the hard cache above 1 GB might lead to core dumps. This is because of memory allocation incompatibilities with the memory manager library on Solaris, in some scenarios. To limit the cache to 1 GB, edit the _ndsdb.ini (under the dib directory) as follows:

    cache=1024000000

You can also modify the cache settings through iMonitor using the Database Cache page under Agent Configuration.
Select the Hard limit option and set the Maximum Cache Size in KB. Refer to the Novell eDirectory Performance Tuning Guide (http://www.novell.com/products/edirectory/whitepapers.html) for more information on the eDirectory cache and the default cache settings.

3.22 ICE Plug-in Won't Authenticate in iManager for Import on Linux

When you use the Novell Import Convert Export iManager plug-in to import hundreds of users with an LDIF file, you might receive the following error toward the end of the Wizard when you click Start:

    "ldap_simple_bind failed: 49(Invalid credentials), dn: cn=admin,o=novell"

This is a known issue in the iManager plug-in. You can import the same file using the ConsoleOne snap-in, or the following command at the system prompt:

    ice -S LDIF -f -D LDAP -s -p 389 -d -w

3.23 Errors When Running edirutil -i on Linux

On SUSE LINUX Enterprise Server 9 and Red Hat Advanced Server 3.0, the path to Java might be incorrect in the edirutil program, so when you enter the edirutil -i command, you will get errors.

First, check to see if Java is installed, using the java -version command. If it is installed, you should get a reply listing the version. If it is not installed, see if you can find Java using the following command:

    which java

Try entering the full path to run it as /usr/lib/java/jre/bin/java -version. If that doesn't work, download and install Java.

After Java is working, find out where the eDirectory eMBox tools are located (probably in /usr/lib/nds-modules/embox/eMBoxClient.jar). If they are not in /usr/lib/nds-modules/embox/eMBoxClient.jar, search for the tools using the following command:

    find / -name eMBoxClient.jar

Run java and execute the eMBox command line client. You can leave out the full path specification if the required directory is your current working directory or if the path has been set to the java directory.
The full path request looks similar to the following:

    /usr/lib/java/jre/bin/java -cp /usr/lib/nds-modules/eMBoxClient.jar embox -i

3.24 File Descriptor Limitation on Solaris

On Solaris, the ndsd process is limited to a maximum of 256 open file descriptors. To work around this constraint, set the value of the NDSD_USE_STDIO environment variable to 1.

3.25 Cannot View Password Plugin in iManager on Logging in to eDirectory 8.7.3 SP10

When you log in to iManager 2.7 after configuring an eDirectory 8.7.3 SP10 tree, you may not be able to view Password Roles and Tasks. The Security Services 2.0.5 patch copies newer schema files to the server; however, they are not extended by default. Some newer functionality (such as the Passwords iManager plug-in) will not work until the schema has been extended manually. Please see Manually Extending the Schema (http://www.novell.com/documentation/edir88/index.html?page=/documentation/edir88/edir88/data/amijij0.html) for instructions on extending schema. Schema needs to be extended once per tree. (The schema files which need to be extended are: nmas.sch, nspm.sch, notf.sch, and nsimpm.sch.)

3.26 Nds-uninstall Removes Only 8.7.3.10 eDirectory Administration Utilities

When you uninstall eDirectory using the nds-uninstall script, it removes only the administration utilities. Server utilities are not removed. It also pops up a message that it is removing 8.7.3.9 administration utilities. To work around this issue, run nds-uninstall again to remove the server utilities.

4.0 Change Log

This section lists the defects that were fixed with this patch and, additionally, the modifications made.

- 4.1 ds
- 4.2 nldap
- 4.3 ncpengine
- 4.4 install
- 4.5 ldap
- 4.6 iMonitor
- 4.7 dsrepair
- 4.8 snmp
- 4.9 eMBox
- 4.10 httpstk
- 4.11 ice
- 4.12 jclient

4.1 ds

Resolved: Crash that could occur when an invalid number of RDNs in tuned name was specified (368835).
Resolved: Prevent network addresses being added to objects that don't have it as a schema attribute (379917).
Resolved: Issue where Advanced Referral Costing prevented Apache from starting (378880).
Resolved: Disable Advanced Referral Costing by default.
Resolved: Issue on startup ndsd cores due to memory corruption and a double release of resources (83020).
Resolved: Issue of duplicate password check ignored with "Require Unique Passwords" checked (97104).
Resolved: Objects continually synch after partition merge due to ds not putting latest timestamp in inactive child TV replica number (155652).
Resolved: ndsd shuts down if an error is returned during ndsconfig add -m (156428).
Resolved: Man page created for ndsautotrace utility (158565).
Resolved: Dumping core in Windows while upgrading from 873 SP8 to 8.8 SP1 during broadcast to stations (164396).
Resolved: Nessus scan of Linux server causes ndsd high utilization (192595).
Resolved: Heap overflow security vulnerability - (197627&195511\197631&195508).
Resolved: Invalid free security vulnerability - (197629/195523).
Resolved: DoS security vulnerability - (197711\195510).
Resolved: Ndsd cores on object name resolve - (203180).

4.2 nldap

Resolved: Added messages in ldap search trace when LDAP skips a "duplicate" attribute (i.e., App:Path vs. appPath) (94515).
Resolved: SSLv2 disabled in LDAP (156683 & 182127).
Resolved: Search now ignores any search predicates which could cause a syntax violation (RFC2251) (155554).
Resolved: LDAP Server failing if certificate is unassociated unless der file is exported as trusted root (162974).
Resolved: LDAP returning null (EID) on DN syntax instead of converting it to DN (Example: value returned when adding user to a group) (169806/155097).
Resolved: LDAP returning non-present values (170841).
Resolved: Log elapsed time for all LDAP operations (177174).

4.3 ncpengine

Resolved: Issue where connections would be erroneously destroyed resulting in -625 errors when communicating to the server (378165).
Resolved: ndsd cores when ncpengine destroys a NCP connection session (191182).

4.4 install

Fixed ZFS SPKs to allow Zen install of the support pack (NetWare and Windows) (375988).
Changed the name of APPENDLOG.NLM to WRITELOG.NLM to account for long file name restrictions during remote installs (NetWare) (376911).
Resolved: Edir8738ftf_1 install removes ldapsdk & ldapx from ndsmodules.conf (200329). The ndsmodules.conf file is now backed up and restored.

4.5 ldap

Resolved crash that would occur with invalid extensibleMatch filter (373853).

4.6 iMonitor

Resolved: Issue where database entry cache percentages were being incorrectly displayed (378905).

4.7 dsrepair

Resolved: Issue where illegal attributes that violated class rules on entries were not being purged (379917).
Resolved: Dsrepair speed enhancements, especially on non-NetWare platforms (83042).
Resolved: Destroy selected replica now updates the ndsStatusRepair attribute of the pseudoserver (168102).
Resolved: Incorrect port was added to ncpserver and referral list after repair network address (186311).
Resolved: Fixed the -at switch (207153\207151).
Resolved: Messages now show the progress of object repairs (122521).

4.8 snmp

Resolved: Subagent stops after a random amount of time (142769).
Resolved: Restarting the SNMP subagent fails with -255 when other locales are used (151067).
Resolved: Subagent crashes with a segmentation fault (205042).
Resolved: Trap and statistics messages would no longer be displayed if the defs file was not in default location (208663).

4.9 eMBox

Resolved: Issue where services could be controlled without being authenticated (357369).
Resolved: Issue where user password is displayed in clear text using embox through iManager (93995).

4.10 httpstk

Resolved: Issue of remote code execution vulnerability in httpstk (205313).

4.11 ice

Resolved: Issue that ICE would not work in French locale (156011).

4.12 jclient

Resolved: Issue where incorrect privileges were assigned when there was no password supplied (83008).

5.0 Documentation Issues

- 5.1 eDirectory 8.7.3 Documentation
- 5.2 Additional Readme Information

5.1 eDirectory 8.7.3 Documentation

The latest eDirectory 8.7.3 documentation is present at the Novell eDirectory 8.7.3 Documentation site (http://www.novell.com/documentation/edir873/index.html). The latest version of this readme is available at the Novell eDirectory 8.7.3 Documentation Site (http://www.novell.com/documentation/edir873/index.html).

5.2 Additional Readme Information

- 5.2.1 Novell eDirectory 8.7.x Readme Addendum
- 5.2.2 NMAS Issues
- 5.2.3 Certificate Server Issues
- 5.2.4 NICI Issues

5.2.1 Novell eDirectory 8.7.x Readme Addendum

For information on additional eDirectory issues for this release, refer to Solution #10073723, titled "Novell eDirectory 8.7.x Readme Addendum," in the Novell Knowledge Base (http://support.novell.com).

5.2.2 NMAS Issues

For NMAS information, refer to the Security Services Readme (http://www.novell.com/documentation/nmas32/index.html) located with the NMAS 3.2 online documentation (http://www.novell.com/documentation/nmas32/index.html).

5.2.3 Certificate Server Issues

For Certificate Server information, refer to the Security Services Readme (http://www.novell.com/documentation/nmas32/readme/security_readme205.html) located with the Novell Certificate Server 2.7 online documentation (http://www.novell.com/documentation/crt33/index.html).

5.2.4 NICI Issues

For NICI information, refer to the Security Services Readme (http://www.novell.com/documentation/nmas32/readme/security_readme205.html) located with the NICI 2.7.x online documentation (http://www.novell.com/documentation/nici27x).

6.0 Legal Notices

Novell, Inc.
makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to http://www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2003-2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document.
In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

For a list of Novell trademarks, see the Novell Trademark and Service Mark list at http://www.novell.com/company/legal/trademarks/tmlist.html. All third-party products are the property of their respective owners.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org).